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Abstract 

Many biometric template protection algorithms have been proposed mainly in two ap- 
proaches: biometric feature transformation and biometric cryptosystem. Security evaluation 
of the proposed algorithms are often conducted in various inconsistent manner. Thus, it is 
strongly demanded to establish the common evaluation metrics for easier comparison among 
many algorithms. Simoens et al.[ll] and Nagar et al.[l] proposed good metrics covering nearly 
all aspect of requirements expected for biometric template protection algorithms. One drawback 
of the two papers is that they are biased to experimental evaluation of security of biometric tem- 
plate protection algorithms. Therefore, it was still difficult mainly for algorithms in biometric 
cryptosystem to prove their security according to the proposed metrics. This paper will give a 
formal definitions for security metrics proposed by Simoens et al. [11] and Nagar et al. [1] so that 
it can be used for the evaluation of both of the two approaches. Further, this paper will discuss 
the relations among several notions of security metrics. 

1 Introduction 

One of the main issues in biometric authentication systems is to protect a biometric template 
database from compromise. Biometric information is so unique to each user and unchangeable 
during his or her lifetime. Once biometric template is leaked together with his or her identity, the 
person will face a severe risk of identity theft. Widely-used template protection systems for bio- 
metric authentication systems are tamper-proof hardware-based systems, where biometric template 
is stored in an ordinary storage as an encrypted form and decrypted only within a tamper-proof 
hardware when matching is required. In these systems, even if the database is compromised, bio- 
metric information never made public. However, the drawback of this conventional approach was 
the requirement of tamper-proof hardware, as it increases the deployment cost especially in high 
volume matching is required. To overcome this drawback, software-based template protection tech- 
niques are proposed recently in many literature[]. Software-based template protection schemes are 
categorized into 2 approaches |12j. feature transformation approach and biometric cryptosystems. 
Both of them introduces a user-specific key to transform a biometric template into a protected 
template. 
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1.1 Feature Transformation approach 

Feature transformation approach is first proposed in a paper written by Ratha, Connel and Bolle[T3] 
as Cancelable biometrics. In feature transformation approach, a randomness or key is introduced 
as a transformation parameter, and each original biometric feature is transformed into a deformed 
biometric feature. Main advantage of this approach is that it can take benefits from utihzing 
weh-studied high performance algorithms. Thus, the challenge in this approach is to design a 
transformation function satisfies both (1) that closeness in original biometric feature space should 
preserve in the transformed feature space and (2) that it is hard to recover the original biometric 
feature from the transformed feature. On the contrary that feature transformation approach can 
enjoy the benefit of high-performance algorithms, schemes in this approach tends to have difficulties 
in theoretical analysis of protection performance such as irreversibility and unlinkability discussed 
later. Thus, many papers give experimental evidence for security analysis. 

Ratha et al. |14j introduced the notion of Cancelable biometrics and proposed several schemes 
for fingerprint template protection [13]. Their approach is to displace fingerprint minutiae at differ- 
ent locations according to a irreversible locally smooth transformation. That is, a small change in a 
minutiae position before transformation leads to a small change in the minutiae position after trans- 
formation, but small correlation in minutia positions before and after transformation. Ratha et 
al.[T3] evaluated Accuracy (Section l3.ip for the recognition performance and IrreversibilityiSection 
14. ip for their schemes. They roughly estimated the complexity of irreversibility by the length of its 
binary representation. 

Teoh et al.'s BioHash|8j and its subsequent papers [U [HI [IT] proposed distance-preserving trans- 
formations for biometric feature vectors multiplied with an randomized orthogonal transformation 
matrix. The randomized orthogonal matrix woks as a user-specific key, it introduces a low false 
accept rate. Irreversiblity of BioHash is analyzed in [8] and [18j . In [8], irreversibility is discussed 
based on evidences from recognition performance (Section [3]) metrics such as accuracy (Section l3.ip . 
biometric performance (Section 13. 2p and diversity (Section 13. 3p . As argued later, for example, in 
the real world, a fingerprint left on a glass may be abused by a malicious user, then Diveristy 
seems to give the complexity of an adversary to find the correct key. However, this discussion only 
covers a weak adversary whose attacking strategy is specific. A stronger adversary may take other 
strategies such as finding the correct key by directly inverting the transformation function utilizing 
the stolen fingerprint, etc. Likewise, those recognition performance metrics are not suitable for the 
evaluation of protection performance. In [18], irreversibility is discussed theoretically and experi- 
mentally. Their experimental analysis is similar to [8]. In their theoretical analysis, irreversibility is 
defined as the complexity of finding an exact original biometric feature vector from a transformed 
template and its corresponding key. BioHash is a lossy function, hence it satisfies their notion of 
irreversibility with some security parameter. However, in the real situation, the adversary usually 
does not have to find an exact original biometric feature, but enough to find an biometric fea- 
ture which can be accepted by the biometric authentication system. The latter is trivially easy, 
given a transformed template and its corresponding key, randomly chosen biometric features will 
be accepted with probability FAR. Thus, more realistic notion of irreversibility is required. 

1.2 Biometric cryptosystem 

Biometric cryptosysm refers to a series of research motivated by fuzzy commitment and fuzzy vault 
proposed by Juels and Watenburg[TO] and Juels and Sudan[9] respectively. Instead of applying 
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sophisticated feature extraction and matching algorithms, they abstracted the metric space of 
biometrics matching as a hamming distance or a set difference respectively, and make use of error- 
correcting codes to check if the distance of two biometric features are within a correctable range. 
Dodis, Reyzin and Smith[5] generalized them to secure sketch covering any transitive metric space, 
that is, a metric space M has a family of permutations vr G IT such that IT is distance preserving: 
d{a, b) = (i(7r(a), 7r(6)) and for any two elements a,h ^ M. there exists vTj G H: 7ri(a) = h. 

None of them conducted experimental analysis both on recognition performance (Section [3]) and 
protection performance (Section [4]). Rather, irreversibility (Section 14. ip for their un-keyedsch.em.es 
are theoretically analyzed. They demonstrated that fuzzy schemes have strong irreversibility in a 
practical parameter setting, but introduced impractical assumptions. As shown in this paper, any 
un-keyed schemes cannot satisfy irreversibility in a practical setting for a biometrics application (see 
Theorem [2] in this paper). Those impractical assumptions are considered essential in the analysis. 
Namely, Juels and WatenburgjlO] assumes uniform distribution on biometric features, and Juels 
and Sudan [9] does not assume uniform distribution on elements in a set whereas assumes elements 
in a set are chosen independently. Dodis, Reyzin and Smith[5] evaluated irreversibility of secure 
sketch and fuzzy extractor with a general distribution on biometric feature, hence falls to insecure 
with a practical parameter setting for biometrics applications. 

Sutcu, Li and Memon[T5] applied a secure sketch[5] to a face recognition system, and measured 
biometric performance and estimated a lower-bound of irreversibility. They reported degradation 
of recognition performance introduced by secure sketch was negligible, but the lower-bound of 
complexity to break irreversibility was barely 20 bits. Arakala, Jeffers and Horadam[2] and Chang 
and Roy[3] applied to fingerprint recognition system and reported similar results. 

1.3 Related Security Metrics 

As we have seen until now, there are two separate line of research, and there exits a gap in the way of 
evaluation of recognition performance and protection performance between feature transformation 
approach and biometric cryptosystem. Thus, relations of security statements were ambiguous, and 
it was not easy to compare the security of proposed schemes. Recently, there are attempts to try 
to unify the evaluation methods and give metrics applicable to all biometric template protection 
schemes. 

Nagar, Nandakumar and Jain[T2] proposed such security metrics. Their security metrics con- 
sists of six items: FARuk, FARkk, IRIS, IRID, CMRj and CMRq. The first two items exactly correspond 
to our proposal, accuracy and biometric performance. IRIS, the Intrusion Rate due to Inversion 
for the Same biometric system, and IRID, the Intrusion Rate due to Inversion for a Different bio- 
metric system, are related to our metric of e-{P I ., AD} -pseudo-authorized leakage irreversibility in 
Definition HI Our metric gives the upper-bound of the intrusion probability for all probabilistic 
polynomial-time inverters, whereas IRIS and IRID give the intrusion probability for the best possi- 
ble inverter. IRIS and IRID can be evaluated experimentally, hence suitable metrics for algorithms 
in the feature transformation approach. However, IRIS and IRID should be considered that it gives 
the lower assurance in irreversibility., as far as there is no evidence that the best possible inverter 
used in the evaluation is the best of all probabilistic polynomial-time inverters. Similarly, CMRx, the 
Cross Match Rates in the Transformed feature domain, and CMRq, the Cross Match Rates in the 
Original feature domain, are related to our diversity and e-{PI , AD} -unlinkability, respectively in 
Definition [5l 



3 



Simoens, Yang, Zhou, Beato, Busch, Newton and PreneelpT] proposed nearly all aspect of 
requirements normally expected to template protection algorithms, namely from technical perfor- 
mance such as recognition accuracy, throughput and storage requirement, protection performance 
through operational performance. Based on their proposal, this paper focuses on the formal def- 
initions of the recognition performance and the protection performance for precise discussions. 
For recognition performance, their accuracy\ll\ and diversity\ll\ exactly corresponds to our bio- 
metric performance and diversity. Further, we introduced another accuracy which corresponds to 
FARuK in Nagar et al.[l2] to demonstrate the performance advantage of two-factor template protec- 
tion algorithms. For protection performance, their irreversibilitv^n] and unlinkabilitv[ll\ exactly 
corresponds to ours. Irreversibility^n] is further divided into full-leakage irreversibility, authorized- 
leakage irreversibility and pseudo-aurhorized-leakage irreversibility depending on the differences of 
goals for adversary. These three notions of irreversibility is formally defined and discussed their 
relations in Section 14.11 Unlinkability^l\ is defined as the false cross match rate (FCMR) and 
the false non-cross match rate {FNCMR). These rate is measured as the performance of a cross- 
comparator. Similarly, if one could give an upper-bound of FCMR and FNCMR for all probabilistic 
polynomial-time cross- comparator, then unlinkability can be theoretically evaluated with the high 
assurance level. On the other hand, if these rates are given experimentally for the best possible 
cross-comparator, unlinkability is evaluated with lower assurance level. These are discussed in more 
detail in Section [42l 

2 Preliminaries 

In this section, we will explicitly formulate biometric template protection {BTP) algorithms. In this 
paper, we discuss BTP algorithms utilizing a common modality and a common feature extraction 
algorithm. Namely we do not discuss BTP algorithms using multi-biometrics. 

Let U he a finite set consisting of all users who have biometric characteristics utilized in BTP 
algorithms. Assume that each user u £U has his/her own biometric characteristic bu and therefore, 
in the following, we identify u with b^ and use the notation u instead of bu, namely, the set can 
be regarded as a set consisting of all individuals' biometric characteristics. A biometric recognition 
system captures biometric samples from biometric characteristics presented to the sensor of the 
system, extracts biometric features from biometric samples, and verifies or identifies users by using 
their biometric features. We assume that each user's biometric features are represented as a digital 
element x £ M oi a finite set M. We call x a feature element of u. Since two feature elements 
generated from u are rarely identical, we let denote a random variable on M representing 
noisy variations of feature elements of u, namely P{Xu = x) is the probability that a biometric 
sample of captured from u will be represented as x. Let R be the set of all real numbers and let 
drA^xAl— T-Rbea semimetric function on M, namely the real- valued function d satisfies the 
following three conditions: 



for all x,y € M. Then Ai is called a semimetric space associated with d. For any x G A^, 
M.r{x) = {x' I d{x,x') < r} is called the t -neighborhood of x. Let / be an algorithm (or a 



(i) 

(ii) 
(iii) 



d{x,y) > 

d{x, y) = if and only if x = y 
d{x,y) = d{y,x) 
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function) on Ai whose input x £ M is chosen according to a random variable X. Let f{X) denote 

$ 

a random variable induced on the image of /. For any set T, the notation t T denotes that t is 
chosen from the set T uniformly at random. For any random variable X on a set M, the notation 
X X denotes that x is chosen according to X. For any function / on the set Ai, the notation 
E f{x) denotes the expected value of / under the condition that x is chosen according to the 

x<—X 

random variable X, namely 

E,/(^)= ^Pr{X = x]f{x). 

xGM 

In particular, 

x] Pr[an event of x \ X = x] 
X, an event of x] . 

Traditional biometric comparison algorithms are assumed to utilize an ordinary comparison method 
which, for an enrolled feature element and a freshly extracted feature element x' during verification, 
decides match if d{x,x') < r, and otherwise non-match by using a decision threshold r. Then, the 
false non-match rate FNAdR^Kr and the false match rate FMR^Kt are formulated as follows: 

FNMRd<r = E Pr [d{x, x') > t] (1) 

u 

X, x' <— Xn 

FMRdKr = E Pr[d(a;,y) < r] . 

(n, v) t{Ux W)diff 
X <— A u , J/ <— A „ 

where {U x U)'^^^ = {{u,v) xU \ u v} and denotes the number of elements of U. 



E Pr[an event of x] = Pi[X 



x^X 

xGM 



xpM 



Biometric template protection algorithms We will give a explicit formulation of biometric 
template protection (BTP) algorithms as follows. 

Definition 1 (BTP algorithms). A biometric template protection (BTP) algorithm H is a tuple of 
polynomial-time algorithms Gen, PIE, PIR, PIC, namely H = (Gen, PIE, PIR, PIC). Let Gen is 
an algorithm which on input 1^ returns a finite set U of biometric characteristics, the associated 
random variables Xu, u G U, over a semimetric space Ai, and the public parameters p, where k 
is a security parameter. Let PIE be a randomized algorithm which on input x € M returns a pair 
(7r,a) of two data vr G A^pi and a G A^ad, where A^ad cli"^ finite sets. The algorithm PIE is 
called a pseudonymous identifier encoder. The first output vr (resp. the second output a of PIE is 
called a pseudonymous identifier (PI) for enrollment (resp. auxiliary data (AD)) and is denoted by 
TT = PIEi(x) (resp. a = PIE2(x)). The algorithm PIE can be regarded as a pair of two randomized 
algorithms PIEi and PIE2. 

In the enrollment phase, a biometric characteristic u £ U is submitted to the system, a feature 
element x £ M is generated according to the distribution X^, PIE outputs (vr, a) on input x, and 
vr and a are stored in storages. Note that vr and a are not necessarily stored together in the same 
storage. 
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Let PIR be a deterministic algorithm which, on input a G Mad o-nd x' £ M, returns a data vr' € 
A4pi for verification, where Mpi is a finite set. The data vr' = PIR(a, x') is called a pseudonymous 
identifier for verification. Let PIC be a deterministic algorithm which, on input vr E A^pi and vr' E 
M'pi, returns either match or non-match. The algorithms PIR and PIC are called a pseudonymous 
identifier recorder and a pseudonymous identifier comparator, respectively. 

In the verification phase, a biometric characteristic u £ U is freshly presented to the system, a 
new feature element x' € M is generated according to X^. The verification entity receives a P/vr, 
an AD a and x' , computes it' = PIR(a,x'), and outputs PIC(vr,vr') E {match, non-match} . 

Note that the terms, pseudonymous identifier (PI), auxiliary data (AD), are defined in ISO/IEC 
24745 [6] (cf. |11]). A pseudonymous identifier (PI) is defined to be a set of data that represents 
an individual or data subject within a certain domain by means of a protected identity and is used 
as a reference for verification by means of a captured biometric sample and auxiliary data. It is 
desirable that the PI does not allow the retrieval of the enrolled biometric feature element and 
multiple "unlinkable" Pi's can be derived from the same biometric characteristic. Auxiliary data 
(AD) is defined to be a set of data that can be required to reconstruct pseudonymous identifiers 
during verification. In some scheme, AD depends on the enrolled biometric feature element. 

A pair (vr, a) of PI and AD is called a protected template (PT) in jllj or a renewable biometric 
reference in [6]. In in general, PTs are assumed to be public. However, most existing BTP 
algorithms require secrecy of PT. Because, in the real world, for some modalities (e.g. fingerprint, 
iris, face and so on) there are many public large databases, and therefore, the adversary can find a 
matching sample by entirely running such a database against a stolen PT. Therefore, in this paper, 
both Pis and ADs are assumed to be secret information. Each user's PI and AD are separately 
stored in different storages, for example, in application to 2-factor authentication systems, every 
PI is stored together with each user's ID in the database and each user's AD is stored in the user's 
smart card. We will discuss the recognition performance and the security performance when one of 
(or both) PI and AD is leaked. Simoens et al. [11] regard such a data separation as an additional 
property of BTP. 

Definition 2 (2-factor BTP). We will define a 2-factor BTP authentication algorithms in which 
a biometric characteristic is the first authentication factor. There are two possibilities from the 
viewpoint of data separation. A scheme which utilizes ADs as second factors and stores Pis for 
verification in the database is called a AD-2-factor BTP. Reversely, a scheme which utilizes Pis for 
verification as second factors and stores ADs in the database is called a PI-2-factor BTP. 

3 Recognition performance for BTP algorithms 

In this section, we especially focus on recognition performance as technical performance of BTP 
algorithms 11. For the simplicity, we will fix a security parameter k. Therefore, a set U of biometric 
characteristics, the associated random variables X^, u £ll, and the public parameters p are fixed. 

3.1 Accuracy 

For any biometric template protection (BTP) algorithm 11 = (PIE, PIR, PIC), the false non-match 
rate of 11, FNMRjj, is the probability that a mated pair of PT and biometric sample are falsely 
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declared to be non-match, namely, 

FNMRn = E Pr [ PIC(7r, PIR(a, x)) = non-match ] 

u -$-14 

(7r,a) ^ PIE{X„) 

Here, we will define recognition accuracy metrics for 2-factor BTPs, which are called total perfor- 
mance and naturally introduced from the notion, data separation, discussed by Simoens et al. [11^ 
Section 4.4]. The false match rate for total performance of AD-2-factor BTP (resp. PI-2-factor 
BTP) n, FMR^^^ (resp. FMR^^^), is the probability that a zero-effort impostor's presentation 
of his own biometric characteristic u gU along with a 2nd factor a £ A4ad (resp. vr E A^pi) gen- 
erated from u is falsely declared to match a non-mated reference data vr € Aipi (resp. a G A^ad) 
generated from a biometric characteristic v G U\{u}. The metrics FMi^^^^D ^^-^Wpi 
respectively formulated by 

FMi?5^AD= E Pr [ PIC(7r',PIR(a,a;)) 

in,a) ^PIE(X„) 
{n',a') ^ PIE(X„) 

FMR^^P^= E Pr [ PIC(7r,PIR(a',x)) 

iu,v) ^ (U xUf'^ 

X ^ Xu 

(7r,Q) <-PIE(X„) 
(7r',a') ^ PIE(X„) 

Nagar et al. [l] propose these metrics as the false accept rate with unknown transformation pa- 
rameters, FARijK- 

By measuring the above metrics, FNMR-n, FMRji ^j-,, and FMRji pj, we can totally evaluate the 
recognition performance of 2-factor BTPs. However, a 2-factor BTP can achieve a high recognition 
performance when the recognition accuracy contributed by one factor is high, even if the recognition 
accuracy contributed by the other factor is poor. Therefore, we need to evaluate the recognition 
accuracy achieved only by using one factor. In the following sections. Section [3.21 and 1 3.31 we will 
define metrics for such recognition accuracy. 

3.2 Biometric Performance 

In this section, we will define a metric for the recognition accuracy achieved only by the 1st factor, 
biometrics. The false match rate for biometric performance of H, FMRf^ , is the probability that 
a zero-effort impostor's presentation of his own biometric characteristic u £U along with a correct 
2nd factor is falsely declared to match a genuine reference data. Then the metric FMR^ is 
formulated by 

FMR^^ = E Pr[PIC(7r, PIR(a,rE)) = mate/i] . 

(it, v)^{U X W)diff 

X -(^ Xu 

(vr.a) ^ PIE(X„) 

Simoens et al. [11] discussed this metric as an ordinary recognition accuracy metric, the false 
match rate, because they mainly consider biometric-based single factor authentication systems 



= match 



= match 
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which stores Pis and ADs in the database. Moreover, Nagar et al. [T] propose this metric as the 
false accept rate with known transformation parameters, FARkk- 

This metric can be regarded as a metric for security against impersonation when a user's 2nd 
factor is leaked. In the above notion, biometric performance, the adversary assumed to be very 
weak, namely he presents his own biometric characteristic along with obtained genuine user's 2nd 
factor. However, in order to strictly evaluate security against impersonation, we need to define a 
stronger attack model. We would discuss such a rigorous security in another paper in preparation. 

3.3 Diversity 

Diversity is the notion which ensures renewability for 2-factor BTPs. Namely, after a FT generated 
from u G is renewed, a presentation of u along with the old 2nd factor should not be declared 
to match the new reference data. Diversity is also the property that PTs should not allow cross- 
matching across databases in different authentication systems, (cf. [3 HI], [H Sect. 3.3], [HI Sect. 
3.5]). We will define a metric for diversity as follows. The false match rate for diversity of BTP 
algorithm 11, FMR}^^ , is the probability that a presentation of a biometric characteristic u ^ U 
along with a 2nd factor generated from u is falsely declared to match a new reference data freshly 
generated from the same u. The metrics FMR^^ is formulated by 

FMR^'' = E Pr [ PIC(7r,PIR(a',a;)) = match ] . 

u 

X Xu 

{■K,a) ^PIE(X„) 
(7r',Q') ^PIE(X„) 

Nagar et al. [1] proposes this metric as the cross match rate, CMR. Here we consider the corre- 
sponding entropy H = —logFMR)^^ . Then, it indicates that the distribution of PTs generated 
form a biometric characteristic are almost the same as the uniform distribution on H-b\t binary 
strings, namely 2^ independent PTs can be generated from a biometric characteristic. Simoens et 
al. [llj propose the number of such "independent" PTs as a metric for diversity. 

Diversity can be regarded as a metric for security against impersonation when a user's biometric 
characteristic is leaked. For example, in the real world, a fingerprint left on a glass is abused by 
a malicious user. However, in the above diversity notion, the adversary assumed to be very weak, 
namely he submits a 2nd factor randomly generated from the obtained biometric characteristic. 
By using the obtained biometric characteristic, a stronger adversary might be able to find a 2nd 
factor which makes PIC return match with extremely higher probability. We would discuss such a 
strict security notion in another paper in preparation. 

4 Protection peformance for BTP algorithms 
4.1 Irreversibility 

Suppose that the adversary obtains (a part of) a PT leaked from the database or from the user's 
storage devices. The adversary might be able to recover a feature element close to the original 
feature element from which the PT is generated. Form the recovered feature element, he might 
create a physical spoof of the user's biometric characteristic and impersonate the user by presenting 
the fake biometric characteristic to the system. Irreversibility is a requirement that it should be 
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hard to recover an original feature element (or a neighborhood of it) from (a part of) a PT, which 
ensures the security in the case of leakage of PTs. 

For each nonempty subset A 7^ of the terms {PI, AD} and any PT (vr, a), let (vr, a)\ denote 
a subset of {vr, a} defined by (vr, a){p/^^£i} = {it, a), {7r,a)^pjy = vr, and (7r,a){^£)} = a. We call 
(vr, a)A a K-suhset of (vr, a) 

We will define a irreversibility game {IRR Game) between the challenger Ch and the adversary 
A = (^1,^2)5 where Ai is a probabilistic polynomial-time (ppt) adversary which is given the 
algorithms and the parameters of IT and sends a state to A2, and A2 is a ppt adversary who is 
given a A-subset of a PT generated from an feature element x £ M extracted from a randomly 
chosen biometric characteristic and attempts to guess (a neighborhood of) the original feature 
element x. 

Recently, for most major modalities, there are many databases available to the public. There- 
fore, it is natural to assume that the adversary easily obtains a huge database of biometric samples. 
In this case, the adversary can performs an offline attack and successfully find a target feature 
element. In order to formulate such a practical situation, we will define an oracle from which 
the adversary can obtain feature elements corresponding to biometric characteristics submitted as 
queries. More precisely, let Samp be an oracle which, on input u £ U, chooses x £ M accord- 
ing to Xu and returns x. We assume that the challenger and the adversary are allowed to make 
polynomial-time queries to Samp before he returns his guess. 

For any subset <p ^ A C {PI, AD} and any real number r > 0, we define A-t- authorized leakage 
game (A-AL.,- IRR Game) (resp. A-pseudo authorized leakage game {A-PAL IRR Game)) as follows. 

A-AL^ IRR Game (resp. A-PAL IRR Game) 

Step 1. The challenger Ch inputs l'"' into Gen and Gen returns U, X^, u ^lA, and the parameters 
p. The challenger Ch sends (p, A,r) (resp. (p. A)) to the adversary ^1. 

Step 2. The adversary Ai receives (p. A, r) (resp. (p. A)) and sends a state s to A2- The adversary 
Ai is allowed to make polynomial-time queries to Samp before he sends s to A2- 

Step 3. The challenger Ch chooses a biometric characteristic u £U uniformly at random, submits 
u to the sampling oracle Samp, and gets a feature element a; G 7W as an answer from Samp. 
The challenger Ch inputs the feature element x into PIE, gets the output (7r,a), and sends 
(vr, a)A to the adversary A2- 

Step 4. The adversary A2 receives the state s and (vr, a)\ from ^1 and Ch, respectively, and 
returns x' G Ai. The adversary A2 is allowed to make polynomial-time queries to Samp 
before he returns his guess. 

If d{x,x') < T (resp. PIC(7r, PIR(a, x')) = match), then the adversary A = (^1,^2) wins. 

Traditional biometric recognition algorithms, which do not use BTP algorithms, determines 
decision thresholds r to minimize the false non-match rate FNMRd<T or the false match rate 
FMRd<i^ (cf. ([H)). If the adversary obtains a A-subset of a PT and successfully recovers a feature 
element close to the original feature element, then he can impersonate the user in traditional 
authentication systems. Since some BTP algorithms might accept feature elements outside the 
T-neighborhood of the original feature element, the adversary in A-PAL IRR Game might find a 
feature element x' such that PIC(7r, PIR(q;, x')) = match but d{x,x') > r. 
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For any feature element x & Ai, the match rate of the feature element x with respect to d < t 
(resp. the reverse match rate of the feature element x) MRd<r{x) (resp. rMRYi{x) ) is the probability 
that a feature element x' € A4 (resp. a PT (7r,a)) generated from a randomly chosen biometric 
characteristic u G U satisfies d{x,x') < r (resp. PIC(7r, PIR(q, x)) = match), which is formulated 
by 

MRd<r{x) = E Pr r d{x,x') < r 1 (2) 

x' ^ X{U) 

rMRu{x) = E Pr r PIC(7r, PIR(q, x)) = match 1 . (3) 

(7r,Q) <- PIE(X(W)) 

Put md<T = max Mi?rf<T-(x) and mn = raax. rMRii{x) . In A-AL,- IRR Game (resp. A- PAL IRR 

~ X ~ X 

Game), the optimal strategy of an adversary A! who is not given {TT,a)\ is to return a feature 
element x satisfying MRd<T{x) = md<T (resp. rMRuix) = mn) and then the success probability 
of the adversary A' is equals to md<T (resp. mn). Therefore, the advantage Adv^"^^^ (resp. 
Advn^^"^^ ^^^) of the adversary A is defined by 

Adv^^^^" = P^I-^ ™ A-AL^ IRR Game wins] - md<r 

Adv^^;^^^ = Pr[^ in A-PAL IRR Game wins] - mn 

Definition 3 (Authorized-leakage irreversibility (cf. |11])). We say that a BTP algorithm Yi is 
e-A-T-authorized-leakage irreversible (e-A-AL,- IRR) i/ Adv^"^^"" < e for any ppt adversary A. 

In particular, we say that U is e-A-full-leakage irreversible (e-A-FL IRR) if Adv^"^^° < e for 
any ppt adversary A. 

Definition 4 (Pseudo-authorized- leakage irreversibility (cf. [H])). We say that a BTP algorithm 
n is e-A-pseudo-authorized-leakage irreversible (e- A-PAL IRR) if Advn'^^'^ < £ for any ppt 
adversary A. 

The above definitions immediately implies the following theorem. We omit the proof. 

Theorem 1. Fix any nonempty subset A C {PI, AD} and any real numbers e > and r > 0. // 
a BTP algorithm H is e-A-ALr IRR, then II is {e + md<r ~ "irf<o)-A-FL IRR. 

Moreover, assume that r satisfies the condition that, for any x £ M and any PT {TT,a) generated 
from X, PIC(7r, PIR(a, x')) = match if d[x,x') <t. If a BTP algorithm 11 is e-A-PAL IRR, then 
n is (e + mpj — md<r)-A-^-^r IRR- 

Simoens et al. [TT] also introduce the above metrics, FL IRR, AL IRR, and PAL IRR, as the 
difficulty of determining (a neighborhood of) the original feature element. Note that, in the attack 
model in [11] the adversary is given the whole PT. Here, we discuss unachievability of PAL IRR 
in the case when the adversary is given a whole PT, namely A = {PI, AD}. Actually, when the 
adversary obtains both the PI and the AD, he can find a target feature element with extremely 
high probability by making a certain amount of queries to Samp. We will more precisely discuss 
as follows. 

For any PT (vr, a) € Mpi x A^aDj the match rate of the PT (vr, a), MRyi{tt, a), is the probability 
that a feature element x' £ M generated from a randomly chosen biometric characteristic u £ U 
satisfies PIC(-7r, PIR(a, x')) = match, which is formulated by 

MRu(7r,a)= E Pr rPIC(7r, PIR(a, x')) = mate/il . 

x' ^ X{U) 
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The MRYi{Tr,a) can be regarded as a random variable over the distribution of (7r,a). Let MRjj 
denote the average of MRYi{TT,a), namely 



MRu= E MRu{TT,a) . 

(it, a) <- PIE(X(W)) 

Let a is the standard deviation of the MRii{Tr,a). Then, from Chebyshev's inequahty, we have 



Pr 



MRu{TT,a) > MRu — ^ 



>l-6 (4) 



for any 6 > 0. For the simplicity, we assume that MRu and a are constants independent of the 
security parameter k. Let C be the variation coefficient of MRYi{TT,a), namely C = . Assume 

that C < 1. 

Theorem 2. For all e < I - C'^ - mn, there exists no e-{PI, AD}-P^L IRR BTP algorithm. 

In general, more accurate BTP algorithms LI have smaller C. Therefore, Theorem [2] states that 
accurate BTP algorithms are unlikely to achieve sufficient irreversibility when both PI and AD are 
compromised. 

We will prove Theorem [2] in Appendix [Al We can also similarly prove unachievability of AL 
IRR when the adversary is given the whole PT under the assumptions slightly different from the 
case of PAL IRR. However, we omit a precise description of the statement and the proof in this 
e-print and will describe them in the full paper. 



4.2 Unlinkability 

For any nonempty subset A C {PI, AD}, we will define A-UNLINK Game between the challenger 
Ch and the adversary A = (^i, ^2)) where A is given A-subsets of two PTs and attempts to guess 
whether the PTs are generated from the same biometric characteristics or not. In this game, Ch 
and A are allowed to make polynomial-time queries to the sampling oracle Samp. 

A-UNLINK Game 

Step 1. The challenger Ch inputs 1^ into Gen and Gen returns lA, X^, u ^U, and the parameters 
p. Ch sends (p, A) to the adversary Ai. 

Step 2. The adversary Ai receives (p. A), outputs three feature elements x, xq, x\ depending on 
a distribution selected by A\^ sends (x,xo,xi) to Ch, and sends a state s to A^^ where s 
contains (x,xo,a;i). The adversary ^1 is allowed to make polynomial-time queries to Samp 
before he sends s to ^2- 

Step 3. The challenger Ch flips the random coin h G {0,1}, inputs X}j into PIE, gets PT = 
PIE(a;) and PT' = PIE(xb), and sends (PT)a and {PT')a to the adversary A2. 

Step 4. The adversary A2 receives the state s and {PT)\ and {PT')\ from ^1 and Ch, and returns 
h' E {0, 1} as a guess of h. The adversary A2 is allowed to make polynomial-time queries to 
Samp before he returns his guess. 
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If b' = b, then the adversary A = (^1,^2) wins. The advantage Adv^ ^^^^^^^ of the adversary A 
over the random guess is formulated by 

Advf^;^NLiNK = 1 2 Pr wins] - 1 1 (5) 

Definition 5 (Unhnkabihty) . We say that a BTP algorithm 11 is e-A-unhnkable (e-A-UNLINK), 
«/ Advn^^^'"™^ < £ for any ppt adversary A. 

Here, we wih show unachievabihty of unhnkabihty when both PI and AD are compromised. 

Theorem 3. Assume that, for any x € M and any PT (vr, a) generated from x, PIC(7r, PIR(a, x)) = 
match. For any e < 1 — MRu, there exists no e-{Pl, AD}-UNLINK BTP algorithm. 

In general, more accurate BTP algorithms 11 have smaller MRu- Therefore, Theorem [3] states 
that accurate BTP algorithms are unlikely to achieve sufficient unhnkabihty when both PI and AD 
are compromised. 

We will prove Theorem [3] in Appendix lAl 

Simoens et al. [11] define a metric for unhnkabihty by using the false cross match rate {FCMR) 
and the false non-cross-match rate {FNCMR). They define an adversary A'^'^ = {A'i.,A'2)-, who 
is called the cross-comparator. In A-UNLINK Game, the adversary A'l chooses a pair (u, v) G 
{U X U)'^^^ of two different biometric characteristics, submits u to Samp independently twice, and 
receives x and xq respectively as the answers of two queries, moreover submits v to Samp, and 
receives xi as the answer, sends (x,xo,xi) to Ch, and sends a state s containing {x.,xq.,xi) to A2^. 
The adversary Af receives the state containing (x, xo,xi) and (PTi)/^ and {PT2)\ from Af and 
Ch, respectively, and returns b' G {0, 1} as a guess of b. 

The false cross match rate [FCMR) (resp. the false non-cross-match rate {FNCMR)) is the 
probability that, when 6=1 (resp. 6 = 0), the cross comparator A^'^ falsely guesses that 6' = 
(resp. 6' = 1), which is formulated as follows: 

FCMR^^F^^ = E Pr[^'=^ returns in A-UNLINK Game] 

{PT)a ^ PIE(X„) 
{PT')a ^ PIE(X„) 

(resp. FNCMR^-^P^^ = E Pr[^='^ returns 1 in A-UNLINK Game] j . 

{PT)a ^ PIE{Xu) 
{PT')a ^ PIE(X„) 

The advantage Adv^'^S^™^ of the cross comparator can be interpreted as follows: 

Adv^^;UNLINK =\l-{ FCMi2f\;UNLINK ^ i^TVCMi^f^^UNLINK ) | 



5 Relations among security notions 

In this section, we will clarify relations among security notions, irreversibility and unlinkabil- 
ity, defined in the previous sections. We will prove that unhnkabihty is a stronger notion than 



12 



authorized-leakage irreversibility. Therefore, unlinkability gives more rigorous assurance on privacy 
than irreversibility. Before describing the precise statement, we will prepare some notations. 

Let Pt{x) be the probability that the r- neighbor hood of x' chosen according to the distribution 
X{IA) has non-empty intersection with Mt{x), namely 

Pr{x) = E ¥l[Mr{x) n Mr{x') / (j)] . 

X ^ X{U) 

Note that, for any r < r', Pr{x) < Pt-'{x). Put = maxPT-(x) and Qr = minPT-(x). Note that, for 

X X 

any t < t', p-,- < Pr' and Qr < Qr', and qq < < po and the equality is attained if and only if 

X{U) is a uniform distribution. 

Theorem 4. For any nonempty subset A C {PI, AD}, if a BTP algorithm IT is e-A- UNLINK, then 

. £ + {Pr - qT)md<r ^ AT TT?T?f 

11 IS = A-ALr IRR for any r > 0. 

l-Pr 

We will prove Theorem [J] in Appendix [Q 

From Theorem [1] and Theorem HI we have the following figures, Figure [1] and Figure [21 which 
indicate relations among irreversibility and unlinkability when A = PI and A = AD, respectively. 
The notation A — > B means that the notion A is stronger than the notion B. We avoide to show 
the figure in the case of A = {PI, AD}, because, as mentioned after Theorem [2] and Theorem [3l 
accurate BTP algorithms are unlikely to achieve sufficient irreversibility or unlinkability when both 
PI and AD are compromised. 

PI-FL IRR AD-FL IRR 



PI-AL IRR i PI-UNLINK AD-AL IRR i AD-UNLINK 



PLPAL IRR AD-PAL IRR 

Figure 1: Relations among security notions Figure 2: Relations among security notions 
when only PI is compromised. when only AD is compromised. 
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A Proof of Theorem [2] 

In this appendix, we will explicitly prove Theorem [2l 

Proof of Theorem^ Put A = {PI, AD}. We need to prove that, for any constant 7 satisfying 
< 7 < 1, there exists an adversary A satisfying Pr[^ in A- PAL IRR Game wins] > 1 — 7. We 

will define an adversary A2 who obtains a PT (vr, a) from the challenger Ch, makes polynomial-time 

queries to the sampling oracle Samp, and returns a guess x' £ Ai. 

Fix a constant 6 satisfying < 5 < 7. Put fi = MRn j=. Since < ;U < 1 and ;U is a 

constant, there exists a constant number A'^^ such that (1 — fi)^ < for all N > Ns- The 

1 — 

adversary A repeats the following processes from Step 1 to Step 3 at most A^^^ times. 

Step 1. The adversary A2 chooses a biometric characteristic v uniformly at random. 

Step 2. The adversary A2 sends to the sampling oracle Samp and gets a feature element x' from 
Samp. 

Step 3. The adversary A2 checks whether PIC(7r, PIR(a, x')) = match or non-match. 

If PIC(7r, PIR(a, x')) = match in the Step 3 during the repetition of the above processes, then A2 
finishes the processes and returns x' . 

We say that a PT {it, a) is good if Mi?n(7r,a) > fi. If the adversary A2 is given a good PT 
(vr, a), then the probability that A2 gets a feature element x' satisfying PIC(7r, PIR(a, x')) = match 

f — T 

during the A'^-time repetition of the above steps is greater than or equal to 1 — (1 — /i) * > r. 

1 — 

From (jH), the probability that A2 is given a good PT {it, a) is greater than or equals to 1 — 5. 
Therefore, we have 

1-7 

Pr[^ in A-PAL IRR Game wins] > {1 - 6) x '- = 1 - 7 . 

1-0 

Therefore, the result follows. □ 



B Proof of Theorem [3] 

In this appendix, we will explicitly prove Theorem [3l 

Proof of Theorem^ It is sufficient to show that there exists an adversary A in {PI, AD}-UNLINK 
Game whose advantage is equal to 1 — MRu- We define such an adversary A = (^i, ^2) as follows. 

The adversary Ai. 

The adversary ^1 receives (p, {PI, AD}) from the challenger Ch, independently chooses three 
biometric characteristics u,uo,ui £ U uniformly at random, makes queries ti, «o,«i to Samp, 
gets three feature elements x, xq, xi from Samp, respectively, sends (x,xo,xi) to Ch, and 
sends a state s' = {{x, xq, xi), p, {PI, AD}) to A2. 

The adversary A2- 

The adversary A2 receives the state s' = {{x, xq, xi), p, {PI, AD}) and PT = (vr, a) and PT' = 
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(7r',a') from and Ch, respectively. When PIC(7r', PIR(a', xi)) = non-match, A2 puts b' = 
0. When PIC(7r', PIR(a', j;o)) = non-match, A2 puts b' = 1. When PIC(7r', PIR(a', xq)) = 
match and PIC(7r', PIR(q', xi)) = match, A2 chooses b' from {0,1} uniformly at random. 
Finally A2 returns b' . 

From the assumption in the statement of Theorem[3l if (vr', a') = PIE(2;o) (resp. (tt', a') = PIE(j;i)), 
then PIC(7r', PIR(a', xo)) = match (resp. PIC(7r', PIR(a', xi)) = match). Therefore, when 6 = 0, 
there are the following two cases in which A correctly returns b' = 0. 

Case 1. PIC(7r', PIR(a', xi)) = non-match 

Case 2. PIC(7r', PIR(a', xi)) = match and 6' = is chosen from {0, 1} with probability — . 

Therefore, the probability that, when 6 = 0, the adversary A correctly returns 5' = is estimated 
as follows: 

Pr[^ returns 6' = I 6 = 0] = E Pr [ PIC(7r', PIR(a', xi)) = non-match 1 

{xo,xi) i- X{U) X X{U) 
(tt'.q') ^ PIE(xo) 



+ E Pr 

{xo,xi) <- X{U) X X{U) 
(tt'.q') ^ PIE(xo) 

=(1 - MRn) + ^ MRn = 1 " ^ MRn . 



PIC(7r',PIR(a',xi)) = match 
b' = 0t {0, 1} 



The success probability of A when 6 = 1 is similarly estimated as follows: 



Pr[^ returns 6' = 1|6=1] = 1- ^ MRn 



Hence, we have 



Adv^^S"^™^ = |2Pr[^ in A-UNLINK Game wins] - l| = |2(1 - ^ MRn) - l| = 1 - MRn 
Therefore the result follows. □ 



C Proof of Theorem |4] 

In this appendix, we will explicitly prove Theorem [H 

Proof of Theorem \^ Put e' = ~^ — — . It is sufficient to show that if there exists an 

l-Pr 

adversary A in A-AL,- IRR Game whose advantage is greater than or equal to e' , then there exists 
an adversary B in A-UNLINK Game whose advantage is greater than or equal to e. Suppose that 
there exists an adversary A = (^1,^2) satisfying Adv^"^^^ > e' in A-AL^ IRR Game. We 
define an adversary B = {Bi,B2) in A-UNLINK Game as follows. 
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The adversary Bi. 

The adversary Bi receives (p,A) from the challenger Ch, inputs (p,A) into the adversary 
Ai, and obtains a state s as an output of ^i(p, A). Then, Bi independently chooses three 
biometric characteristics u, uo,ui G U uniformly at random, makes queries u,uq,ui to Samp, 
gets three feature elements x, xq, x\ from Samp, respectively, sends (x,xo,xi) to Ch, and 
sends a state s' = ((x, xq, xi), s) to B2- 

The adversary 

The adversary B2 receives the state s' = ((x, xq, xi), s) and (-PT)a and {PT')\ from Bi 
and Ch, respectively. When A^t-(xo) n A^t-(xi) = (j), B2 inputs s and {PT')/^ into A2 and 
obtains a feature element x' as an output of A2{s, {PT')\). If d(xo,x') < r, then b' = 0, if 
d(xi,x') < r, then 6' = 1, otherwise b' is chosen from {0,1} uniformly at random. When 
A^T-(xo) CiMrixi) 7^ (f>, b' is also chosen from {0, 1} uniformly at random. Finally B2 returns 
b'. 

When 6 = 0, there are the following three cases in which the adversary B correctly returns b' = 0. 

Case 1. AiT-ixo) CiMrixi) = 4) and A2 guesses a feature element x' satisfying (i(xo,x') < r. 

Case 2. A^t-(xo) r\ Mr{xi) = (/>, A2 guesses a feature element x' satisfying (i(xo,x') > r and 
d(xi,x') > r, and 6' = is chosen from {0, 1} with probability — . 

Case 3. M.^[xq) n M.^[xi) ^ (j) and 6' = is chosen from {0, 1} with probability ^. 

Therefore, the probability that, when 6 = 0, the adversary B correctly returns 6' = is expanded 
as follows: 

Pr[B returns 6' = | 6 = 0] 

Mr{xo) n A^^(xi) = 4> 
A2{iPT')A) = x',d{xo,x')<T _ 

PT' ^ PlE(xo) 

+ E Pr 

{xo,xi) ^ X{U) X X{U) 
PT' ^ PIE(xo) 



Mr{xQ) r^ Mr{xi) / 4> 
6' = ^ {0, 1} 

PT' ^ PIE(a-,)) 

Since Vi[Ei n (^^2 n ^£^3)] > Vt[Ei] - {Vt[Ei n E2\ + Vi[Ei n £^3]) for any events £1, £2, and £3, 



E Pr 
fa;n,a;i) ^ XiU) x X(U) 



Mt{xq) r\MT{xi) = 4> 

A2{{PT')a) = x',d{xo,x') > r, d{xi,x') > r 
6' = ^ {0, 1} 



+ E Pr 

{xo,xi) ^ X{U) X X{U) 
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the second term is estimated as follows: 



Pr 



7W^(xo) n7W^(xi) = 
A2i{PT')A) = x',d{xo,x') > T, d{xi,x') > T 

6' = 0<^{0,1} 

Mr{xo) n Mr{xi) = (j) 



>- ( ¥l[Mr{xo)r\Mr{xi) 



Pr 



A2{{PT')K)=x\d{xQ,x') < T 



Pr 



Mt{xq) n Mr{xi) = (p 
A2{iPT')A)=x',d{xux')<T 



Therefore, we have 



Pr[S returns b' = 0\b = 0] 
( 



1 

>- 
-2 



E Pr 

{xo,Xi_) ^ X{U) X X{U) 
\ PT' ^ PIE(a;o) 



Mrixo) n Mr{xi) = 4> 

A2{{PT')A)=x',d{xo,x')<T 



- E Pr 

{xo,xi) ^ X{U) X X{U) 
PT' ^ PIE(a;o) 

By the definitions of Pr and qr, we have 

Pr[^ returns 6' = | 6 = 0] 



MT{xo)nMr{xi) = (j) 

A2{{PT')A)=x',d{xi,x')<T 



+ 1 



1 

>- 
-2 



(1-Pr) E 

xo ^ X{U) 
PT' ^ PIE(a;o) 



¥T[A2{{PT')A)=x',d{xo,x')<T] 



-{l-qr) E VT[A2{{PT')A)=x',d{xi,x')<T] + l 

xi ^ X{U) 
PT' ^ PIE (a;,)) 



Since A2 is only given independent information from xi £ the probability that A2 guess a 
feature element x' contained in the r-neighborhood to xi is at most md<T- Consequently, we have 

Pr[S returns 6' = | 6 = 0] > ^ (^(1 - p^) Pr[^ in A-AL^ IRR Game wins] - (1 - qr)md<r + l) • 

We can similarly estimate the success probability of B when 6 = 1 as follows: 

Pi[B returns b' = 1 \ b = 1] > ^(^{1 - Pr) Pr[^ in A-AL^ IRR Game wins] - (1 - qr)md<r + ■ 
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Finally, the advantage of the adversary B is calculated as follows: 

Adv^^^g'^L™^ =|2Pr[i3 in A-UNLINK Game wins] - l| 

>|(1 — Pt) Pt[A in A-ALt- IRR Game wins] — (1 — qT)n^d<T\ 

= 1(1- pr) Adv^- f^ I^^^^ -ipr - qr)m,^r \ 
>|(1 -Pr)e' - {Pr - qT)'md<r \ = £ • 

Therefore the result follows. □ 
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